feat(konnect): add support for basic auth credentials for consumers (#625)

* feat(konnect): add support for basic auth credentials for consumers

* Apply suggestions from code review

Co-authored-by: Grzegorz Burzyński <[email protected]>

* chore: refactor getServiceRef

* fix: watch for consumer changes in CredentialBasicAuth reconciler

* fix: fix handling Consumer deletion for credentials

* refactor(konnect): refactor ReferencedKongConsumerIsBeingDeleted handling

* Update controller/konnect/errors.go

Co-authored-by: Grzegorz Burzyński <[email protected]>

---------

Co-authored-by: Grzegorz Burzyński <[email protected]>

Author: pmalek

.mockery.yaml

@@ -19,3 +19,4 @@ packages:
       PluginSDK:
       UpstreamsSDK:
       MeSDK:
+      CredentialBasicAuthSDK:

CHANGELOG.md

@@ -70,6 +70,8 @@
   the creation of a managed `KongPluginBinding` resource, which is taken by the
   `KongPluginBinding` reconciler to create the corresponding plugin object in Konnect.
   [#550](https://github.com/Kong/gateway-operator/pull/550)
+- Add support for `KongConsumer` credentials:
+  - basic-auth [#625](https://github.com/Kong/gateway-operator/pull/625)
 
 ### Fixed
 

config/rbac/role/role.yaml

@@ -125,6 +125,7 @@ rules:
 - apiGroups:
   - configuration.konghq.com
   resources:
+  - credentialbasicauths
   - ingressclassparameterses
   - kongclusterplugins
   - kongconsumergroups
@@ -143,6 +144,7 @@ rules:
 - apiGroups:
   - configuration.konghq.com
   resources:
+  - credentialbasicauths/status
   - kongclusterplugins/status
   - kongconsumergroups/status
   - kongconsumers/status

config/samples/konnect_kongconsumer_basicauth.yaml

@@ -0,0 +1,46 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.com
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test-cp-basic-auth
+  namespace: default
+spec:
+  name: test-cp-basic-auth
+  labels:
+    app: test-cp-basic-auth
+    key1: test-cp-basic-auth
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongConsumer
+apiVersion: configuration.konghq.com/v1
+metadata:
+  name: consumer1
+  namespace: default
+username: consumer1
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test-cp-basic-auth
+---
+apiVersion: configuration.konghq.com/v1alpha1
+kind: CredentialBasicAuth
+metadata:
+  name: basic-auth-1
+  namespace: default
+spec:
+  consumerRef:
+    name: consumer1
+  password: pass
+  username: username

controller/konnect/conditions/conditions.go

@@ -80,3 +80,17 @@ const (
 	// condition type indicating that the KongService reference is invalid.
 	KongServiceRefReasonInvalid = "Invalid"
 )
+
+const (
+	// KongConsumerRefValidConditionType is the type of the condition that indicates
+	// whether the KongConsumer reference is valid and points to an existing
+	// KongConsumer.
+	KongConsumerRefValidConditionType = "KongConsumerRefValid"
+
+	// KongConsumerRefReasonValid is the reason used with the KongConsumerRefValid
+	// condition type indicating that the KongConsumer reference is valid.
+	KongConsumerRefReasonValid = "Valid"
+	// KongConsumerRefReasonInvalid is the reason used with the KongConsumerRefValid
+	// condition type indicating that the KongConsumer reference is invalid.
+	KongConsumerRefReasonInvalid = "Invalid"
+)

controller/konnect/constraints/constraints.go

@@ -19,6 +19,7 @@ type SupportedKonnectEntityType interface {
 		configurationv1.KongConsumer |
 		configurationv1beta1.KongConsumerGroup |
 		configurationv1alpha1.KongPluginBinding |
+		configurationv1alpha1.CredentialBasicAuth |
 		configurationv1alpha1.KongUpstream
 	// TODO: add other types
 

controller/konnect/errors.go

@@ -2,6 +2,7 @@ package konnect
 
 import (
 	"fmt"
+	"time"
 
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -35,3 +36,28 @@ type ReferencedKongServiceIsBeingDeleted struct {
 func (e ReferencedKongServiceIsBeingDeleted) Error() string {
 	return fmt.Sprintf("referenced Kong Service %s is being deleted", e.Reference)
 }
+
+// ReferencedKongConsumerIsBeingDeleted is an error type that is returned when
+// a Konnect entity references a Kong Consumer which is being deleted.
+type ReferencedKongConsumerIsBeingDeleted struct {
+	Reference         types.NamespacedName
+	DeletionTimestamp time.Time
+}
+
+// Error implements the error interface.
+func (e ReferencedKongConsumerIsBeingDeleted) Error() string {
+	return fmt.Sprintf("referenced Kong Consumer %s is being deleted (deletion timestamp: %s)",
+		e.Reference, e.DeletionTimestamp,
+	)
+}
+
+// ReferencedKongConsumerDoesNotExist is an error type that is returned when the referenced KongConsumer does not exist.
+type ReferencedKongConsumerDoesNotExist struct {
+	Reference types.NamespacedName
+	Err       error
+}
+
+// Error implements the error interface.
+func (e ReferencedKongConsumerDoesNotExist) Error() string {
+	return fmt.Sprintf("referenced Kong Consumer %s does not exist: %v", e.Reference, e.Err)
+}

controller/konnect/index.go

@@ -21,9 +21,11 @@ func ReconciliationIndexOptionsForEntity[
 	T constraints.SupportedKonnectEntityType,
 ]() []ReconciliationIndexOption {
 	var e TEnt
-	switch any(e).(type) { //nolint:gocritic // TODO: add index options required for other entities
+	switch any(e).(type) {
 	case *configurationv1alpha1.KongPluginBinding:
 		return IndexOptionsForKongPluginBinding()
+	case *configurationv1alpha1.CredentialBasicAuth:
+		return IndexOptionsForCredentialsBasicAuth()
 	}
 	return nil
 }

controller/konnect/index_credentials_basicauth.go

@@ -0,0 +1,32 @@
+package konnect
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
+)
+
+const (
+	// IndexFieldCredentialBasicAuthReferencesKongConsumer is the index name for CredentialBasicAuth -> Consumer.
+	IndexFieldCredentialBasicAuthReferencesKongConsumer = "kongCredentialsBasicAuthConsumerRef"
+)
+
+// IndexOptionsForCredentialsBasicAuth returns required Index options for CredentialBasicAuth.
+func IndexOptionsForCredentialsBasicAuth() []ReconciliationIndexOption {
+	return []ReconciliationIndexOption{
+		{
+			IndexObject:  &configurationv1alpha1.CredentialBasicAuth{},
+			IndexField:   IndexFieldCredentialBasicAuthReferencesKongConsumer,
+			ExtractValue: kongCredentialBasicAuthReferencesConsumer,
+		},
+	}
+}
+
+// kongCredentialBasicAuthReferencesConsumer returns the name of referenced Consumer.
+func kongCredentialBasicAuthReferencesConsumer(obj client.Object) []string {
+	cred, ok := obj.(*configurationv1alpha1.CredentialBasicAuth)
+	if !ok {
+		return nil
+	}
+	return []string{cred.Spec.ConsumerRef.Name}
+}

controller/konnect/ops/credentialbasicauth.go

@@ -0,0 +1,14 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// CredentialBasicAuthSDK is the interface for the Konnect CredentialBasicAuthSDK.
+type CredentialBasicAuthSDK interface {
+	CreateBasicAuthWithConsumer(ctx context.Context, req sdkkonnectops.CreateBasicAuthWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateBasicAuthWithConsumerResponse, error)
+	DeleteBasicAuthWithConsumer(ctx context.Context, request sdkkonnectops.DeleteBasicAuthWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteBasicAuthWithConsumerResponse, error)
+	UpsertBasicAuthWithConsumer(ctx context.Context, request sdkkonnectops.UpsertBasicAuthWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.UpsertBasicAuthWithConsumerResponse, error)
+}